sigma, critical, Hunting

Hacktool Execution - Imphash

Detects the execution of various Windows-based hacktools via their import hash (imphash), even if the files have been renamed

MITRE ATT&CK

credential-access, resource-development

Detection Query

selection:
  Hashes|contains:
    - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932
    - IMPHASH=3A19059BD7688CB88E70005F18EFC439
    - IMPHASH=bf6223a49e45d99094406777eb6004ba
    - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1
    - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC
    - IMPHASH=F9A28C458284584A93B14216308D31BD
    - IMPHASH=6118619783FC175BC7EBECFF0769B46E
    - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA
    - IMPHASH=563233BFA169ACC7892451F71AD5850A
    - IMPHASH=87575CB7A0E0700EB37F2E3668671A08
    - IMPHASH=13F08707F759AF6003837A150A371BA1
    - IMPHASH=1781F06048A7E58B323F0B9259BE798B
    - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5
    - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D
    - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2
    - IMPHASH=713C29B396B907ED71A72482759ED757
    - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F
    - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E
    - IMPHASH=8B114550386E31895DFAB371E741123D
    - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793
    - IMPHASH=9D68781980370E00E0BD939EE5E6C141
    - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE
    - IMPHASH=CB567F9498452721D77A451374955F5F
    - IMPHASH=730073214094CD328547BF1F72289752
    - IMPHASH=17B461A082950FC6332228572138B80C
    - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9
    - IMPHASH=819B19D53CA6736448F9325A85736792
    - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E
    - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74
    - IMPHASH=0588081AB0E63BA785938467E1B10CCA
    - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C
    - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29
    - IMPHASH=4DA924CF622D039D58BCE71CDF05D242
    - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66
    - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF
    - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE
    - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4
    - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338
    - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E
    - IMPHASH=E6F9D5152DA699934B30DAAB206471F6
    - IMPHASH=3AD59991CCF1D67339B319B15A41B35D
    - IMPHASH=FFDD59E0318B85A3E480874D9796D872
    - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051
    - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51
    - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1
    - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055
    - IMPHASH=0E2216679CA6E1094D63322E3412D650
    - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB
    - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798
    - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4
    - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80
    - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F
    - IMPHASH=767637C23BB42CD5D7397CF58B0BE688
    - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8
    - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC
    - IMPHASH=7D010C6BB6A3726F327F7E239166D127
    - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3
    - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F
    - IMPHASH=5834ED4291BDEB928270428EBBAF7604
    - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38
    - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894
    - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74
    - IMPHASH=3DE09703C8E79ED2CA3F01074719906B
    - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F
    - IMPHASH=E96A73C7BF33A464C510EDE582318BF2
    - IMPHASH=32089B8851BBF8BC2D014E9F37288C83
    - IMPHASH=09D278F9DE118EF09163C6140255C690
    - IMPHASH=03866661686829d806989e2fc5a72606
    - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d
    - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE
    - IMPHASH=19584675D94829987952432E018D5056
    - IMPHASH=330768A4F172E10ACB6287B87289D83B
    - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313
    - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC
    - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28
    - IMPHASH=96DF3A3731912449521F6F8D183279B1
    - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46
    - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17
    - IMPHASH=25CE42B079282632708FC846129E98A5
    - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20
    - IMPHASH=59223B5F52D8799D38E0754855CBDF42
    - IMPHASH=81E75D8F1D276C156653D3D8813E4A43
    - IMPHASH=17244E8B6B8227E57FE709CCAD421420
    - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4
    - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C
    - IMPHASH=40445337761D80CF465136FAFB1F63E6
    - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6
    - IMPHASH=B50199E952C875241B9CE06C971CE3C1
condition: selection
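Worked example, added here and not code from the rule or the SigmaHQ project: a stand-alone Python script that shows the two steps this rule depends on. First, it computes an imphash from a list of imports using the scheme pefile's get_imphash() implements (lowercase DLL stem plus lowercase function name, joined by commas, MD5-hashed), which makes it plain why renaming a file does not change the value. Second, it applies the rule's Hashes|contains selection to Sysmon process-creation events the way Sigma does, case-insensitively. The abbreviated ordinal table, the sample events and every zero-filled hash are constructed assumptions; only the four IMPHASH values in RULE_IMPHASHES are copied from the rule above.

```python
"""Added example, not code from the Sigma rule or the SigmaHQ project.
Re-implements the two steps behind the rule: computing an import hash and
applying the rule's Hashes|contains selection to Sysmon events."""
import hashlib
import re

# Abbreviated ordinal-to-name table (assumption: pefile ships full tables for
# ws2_32, wsock32 and oleaut32; only a handful of ws2_32 entries appear here).
_ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 23: "socket"},
}

_STRIP_EXT = re.compile(r"\.(dll|ocx|sys)$")


def import_string(imports):
    """Build the string that gets hashed: 'dll.func' per import, in import-table
    order, joined by commas. DLL names are lowercased and lose a .dll/.ocx/.sys
    suffix; function names are lowercased; imports by ordinal become the known
    name or 'ordN'. This mirrors pefile's get_imphash()."""
    parts = []
    for dll, func in imports:
        stem = _STRIP_EXT.sub("", dll.lower())
        if isinstance(func, int):
            name = _ORDINAL_NAMES.get(stem, {}).get(func, f"ord{func}")
        else:
            name = func.lower()
        parts.append(f"{stem}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the import string as a 32-character lowercase hex string.
    Nothing here depends on the file name, which is the property the rule
    relies on: a renamed hacktool keeps its imphash."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


# Four IMPHASH values copied from the rule's list, keyed to the tool the rule's
# comments name for them. The full rule carries many more entries.
RULE_IMPHASHES = {
    "BCCA3C247B619DCD13C8CDFF5F123932": "PetitPotam",
    "bf6223a49e45d99094406777eb6004ba": "PetitPotam",
    "0D9EC08BAC6C07D9987DFD0F1506587C": "NanoDump",
    "8A790F401B29FA87BC1E56F7272B3AA6": "EDRSilencer",
}
# Sigma string matching is case-insensitive by default, so normalise once.
_RULE_LOOKUP = {h.lower(): tool for h, tool in RULE_IMPHASHES.items()}


def parse_hashes_field(hashes):
    """Sysmon's Hashes field is 'ALG=value,ALG=value,...'; return {ALG: value}."""
    parsed = {}
    for item in hashes.split(","):
        alg, sep, value = item.partition("=")
        if sep:
            parsed[alg.strip().upper()] = value.strip()
    return parsed


def match_event(event):
    """Apply the rule's selection to one process-creation event.
    Returns the matched tool name, or None. The Image field is deliberately
    ignored: only the import hash decides, exactly as in the rule."""
    imp = parse_hashes_field(event.get("Hashes", "")).get("IMPHASH")
    if imp is None:
        return None  # Sysmon was not configured to record IMPHASH
    return _RULE_LOOKUP.get(imp.lower())


# Constructed sample events, not real telemetry. The first mimics a renamed
# binary; the zero-filled hashes are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\svchost_update.exe",
     "Hashes": "SHA1=" + "0" * 39 + "1,MD5=" + "0" * 31 + "1,"
               + "IMPHASH=bcca3c247b619dcd13c8cdff5f123932"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "SHA256=" + "0" * 63 + "2,IMPHASH=" + "0" * 32},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "Hashes": "SHA1=" + "0" * 39 + "3"},  # IMPHASH absent from Sysmon config
]


def run(events=SAMPLE_EVENTS):
    """Return [(Image, matched tool or None), ...] for a batch of events."""
    return [(e["Image"], match_event(e)) for e in events]


if __name__ == "__main__":
    for image, hit in run():
        print(f"{image}: {hit or 'no match'}")
```

Two operational points follow from the code. Sysmon only writes an IMPHASH entry into the Hashes field when its configuration lists IMPHASH (or *) under HashAlgorithms; the third sample event has no such entry and can never match, so the rule is silent on hosts without that setting. And because the value is a function of the import table alone, binaries built from the same source with the same toolchain usually share it: that is why renaming does not evade the rule, why the list carries several hashes per tool as builds change, and why the falsepositives entry exists.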

Author

Florian Roth (Nextron Systems)

Created

2022-03-04

Data Sources

windows: Process Creation Events

Platforms

windows

Tags

attack.credential-access, attack.resource-development, attack.t1588.002, attack.t1003

Raw Content
title: Hacktool Execution - Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
status: test
description: Detects the execution of various Windows-based hacktools via their import hash (imphash), even if the files have been renamed
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.resource-development
    - attack.t1588.002
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains: # Sysmon field hashes contains all types
            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
            - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
            - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
            - IMPHASH=730073214094CD328547BF1F72289752 # Htran
            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
            - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
            - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
            - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
            - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
            - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
            - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
            - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
            - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
            - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
            - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
            - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
            - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
            - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
            - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
            - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
            - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
            - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
            - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
            - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
            - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
            - IMPHASH=330768A4F172E10ACB6287B87289D83B # SharpEvtMute Hook
            - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
            - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
            - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
            - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
            - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
            - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
            - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
            - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
            - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
            - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
            - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
            - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
            - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
            - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
            - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
            - IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
    condition: selection
falsepositives:
    - Legitimate use of one of these tools
level: critical